Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Maybe one for JohnPoole 1

Status
Not open for further replies.

pbxn

IS-IT--Management
Jan 5, 2005
971
US
Spoofing is growing at a rapid pace, and of course being the switch guy at a bank, its my job to help prevent such attacks.
So with that said, say there was something out there where you dial a number, enter you pin, enter the number you want to call, the outgoing clid you want to send to that party how do you defend against it?
I have used it for part of a social engineering test, and have trac'd it coming in to my switch. These calls offer no distiction from a regular caller (just 10 digits come in)
Now I have talked to my local bell rep, they were shocked on how this is done and are looking into on their end. This thing can be used for alot of differant questionable ways.
So am I safe to say that I am going to have to rely on my LEC/CLEC to figure this one out?
 
i could build that in an 81, as long as the provider gives me a clear channel to send any cild i want.. it would more then likely be set up with a bank of clids and you could pick a clid before the call was dialed.. i don't think your lec will be able to break that in as much as there is nothing in the string that gives away to orig party.. if i was on an island with a dms and a 81c, i could call from the oval office non publidhed if i wanted to..

john poole
bellsouth business
columbia,sc
 
Yeah this service let's you pick whatever clid you want to send, male voice, female voice, or your own. Needless to say it is good enough for my internal test calls to fail calling employees.
Its good to say the least. I guess the only thing I can do is rule with and iron fist here and make sure employee's are adhearing to company policy.
Thanks again John
 
90 percent of net security that is bypassed happens when users share passwords... that would mean that we pay ip security people 90 percent to much?

john poole
bellsouth business
columbia,sc
 
Ok that made me laugh. have a star on me.
 
This is something that has been available for years, it is just that new fraud techniques make this more of an issue. Check out these links:



These are just a few of many service providers that allow you to make a call and present it using another number as the originator. Caller ID spoofing allows a caller to change the number, not the name, of where they are calling from. The SS7 database maintained by the telcos is where the name comes from. For example, I could make a call, using this service, and pretend I am calling from the White House. As long as I know the number, the SS7 database does the lookup for a matching name, thus you get name and number.

Caller ID uses ones to present the data to the Caller ID box during the first ring, so anyone who can send alternate tones can make this work. I did some research for the bank I used to work for about 18 months ago, and there were a ton of sites that could do this for you.

This is only the beginning,

Hope this helps,

Scott M.
 
The spoofcard was the one I have been using. I'm sure its been around awhile, fraud seems to be growing by leaps and bounds in the banking side, hence my interest.
 
knowledge is the cure, but it is getting to be rare.. clid or name display should never be mistaken for valid id.. if i got a call from the whitehouse (or worse visa) i would need more then caller id before i gave out my ssn, let alone my pins..

all we know is that it will get worse, keep your customers on there toes..

john poole
bellsouth business
columbia,sc
 
Very true, but we all know most people take Caller ID as the gospel when they receive a call. It would be (and has been done) for someone to spoof the number of a bank, call that person with just enough info for them to give up everything needed to compromise their account. When I was with the bank that was the reason I did the research, and we sent out documentation about how easy this was, as well as steps to protect the consumer.

I know I use Caller ID to see who is calling, so if I were to use that as a first line of verification, it would not be hard to convince most people I was calling from where the "Box" said I was calling from. Usually people use things like the White House as a joke, but a local bank would not be near as funny, nor as suspicious.

Scott M.
 
I totally agree srmega. The social engineering aspect of the scammers is getting more and more advanced as the hours pass. It was proven to my bank recently just how easy it is, especially when policy is not followed.
WE as tech's can look at a clid with an open mind and not feel as compelled to easily give out info. Users on the other hand, well we all know they read the first line of a policy, and sign their name on the bottom saying they have read and understood said policy.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top